Accurate Modeling of Modbus/TCP for Intrusion Detection in SCADA Systems

Modbus/TCP is used in SCADA networks to communicate between the Human Machine Interface (HMI) and the Programmable Logic Controllers (PLCs). Therefore, deploying Intrusion Detection Systems (IDS) on Modbus networks is an important security measure. In this paper, the authors introduce a model-based IDS specifically built for Modbus/TCP. Their approach is based on a key observation: Modbus traffic to and from a specific PLC is highly periodic. As a result, they can model each HMI-PLC channel by its own unique Deterministic Finite Automaton (DFA).
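The periodicity observation can be illustrated with a small sketch. This is an added example, not the paper's implementation: it learns the repeating request pattern of one HMI-PLC channel and replays live traffic through the resulting cyclic DFA. The symbol layout (unit id, function code, start address, quantity), the verdict names, the resynchronization rule and the sample traffic are all assumptions constructed for illustration.

```python
from typing import List, Tuple

# Assumed symbol: (unit id, function code, start address, quantity) of one request.
Symbol = Tuple[int, int, int, int]

def learn_cycle(training: List[Symbol]) -> List[Symbol]:
    """Return the shortest pattern whose repetition reproduces the training capture."""
    for period in range(1, len(training) // 2 + 1):
        if all(training[i] == training[i % period] for i in range(len(training))):
            return training[:period]
    raise ValueError("no pattern repeated at least twice in the training capture")

class ChannelDFA:
    """Cyclic DFA for one HMI-PLC channel: state i expects pattern[i] next."""
    def __init__(self, pattern: List[Symbol]):
        self.pattern = pattern
        self.state = 0

    def step(self, sym: Symbol) -> str:
        n = len(self.pattern)
        if sym == self.pattern[self.state]:
            self.state = (self.state + 1) % n
            return "normal"
        if sym not in self.pattern:
            return "unknown"              # never seen in training; state is kept
        # Known request at the wrong point of the cycle: alert, then resynchronize
        # to just after its nearest forward occurrence so one slip is one alert.
        for off in range(1, n):
            j = (self.state + off) % n
            if self.pattern[j] == sym:
                self.state = (j + 1) % n
                break
        return "out-of-order"

def classify(training: List[Symbol], live: List[Symbol]) -> List[str]:
    dfa = ChannelDFA(learn_cycle(training))
    return [dfa.step(s) for s in live]

# Constructed sample traffic (not from a real capture).
READ_HOLDING = (1, 3, 0, 10)     # function code 3, Read Holding Registers
READ_COILS = (1, 1, 0, 8)        # function code 1, Read Coils
READ_INPUT = (1, 4, 100, 2)      # function code 4, Read Input Registers
WRITE_REG = (1, 6, 40, 1)        # function code 6, Write Single Register
TRAINING = [READ_HOLDING, READ_COILS, READ_INPUT] * 4
LIVE = [READ_HOLDING, READ_COILS, READ_INPUT, READ_HOLDING,
        WRITE_REG, READ_COILS, READ_HOLDING, READ_COILS]

if __name__ == "__main__":
    for sym, verdict in zip(LIVE, classify(TRAINING, LIVE)):
        print(sym, verdict)
```

A write request that never appeared during training is flagged without disturbing the automaton's position, while a skipped poll produces a single alert and the automaton realigns with the cycle.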